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Quantum computers use the quantum interference of different computational 
^ . paths to enhance correct outcomes and suppress erroneous outcomes of compu- 

tations. A common pattern underpinning quantum algorithms can be identified 
. when quantum computation is viewed as multi-particle interference. We use this 

00 i approach to review (and improve) some of the existing quantum algorithms and 

. to show how they are related to different instances of quantum phase estima- 

\ tion. We provide an explicit algorithm for generating any prescribed interference 

pattern with an arbitrary precision. 



c , 

Ci . 1. Introduction 

Q^i Quantum computation is based on two quantum phenomena: quantum inter- 

ference and quantum entanglement. Entanglement allows one to encode data 
into non-trivial multi-particle superpositions of some preselected basis states, 
^ ' and quantum interference, which is a dynamical process, allows one to evolve ini- 

tial quantum states (inputs) into final states (outputs) modifying intermediate 
multi-particle superpositions in some prescribed way. Multi-particle quantum in- 
terference, unlike single particle interference, does not have any classical analogue 
and can be viewed as an inherently quantum process. 

It is natural to think of quantum computations as multi-particle processes (just 
as classical computations are processes involving several "particles" or bits). It 
turns out that viewing quantum computation as multi-particle interferometry 
leads to a simple and a unifying picture of known quantum algorithms. In this 
language quantum computers are basically multi-particle interferometers with 
phase shifts that result from operations of some quantum logic gates. To illustrate 
this point, consider, for example, a Mach-Zehnder interferometer (Fig. la). 

A particle, say a photon, impinges on a half-silvered mirror, and, with some 
probability amplitudes, propagates via two different paths to another half-silvered 
mirror which directs the particle to one of the two detectors. Along each path 
between the two half-silvered mirrors, is a phase shifter. If the lower path is 
labelled as state | 0) and the upper one as state | 1) then the state of the particle 
in between the half-silvered mirrors and after passing through the phase shifters 
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is a superposition of the type "^(1 0) + e*^*^^ '^'^^ 1 1)), where (po and are the 

settings of the two phase shifters. This is illustrated in Fig. la. The phase shifters 
in the two paths can be tuned to effect any prescribed relative phase shift (j) = 
^1 — (po and to direct the particle with probabilities |(1 + cos 4>) and ^(1 — cos (p) 
respectively to detectors "0" and "1". The second half-silvered mirror effectively 
erases all information about the path taken by the particle (path | 0) or path 1 1)) 
which is essential for observing quantum interference in the experiment. 








a) 



H 



H 



b) 



Figure 1. (a) Scheme of a Mach-Zehnder interferometer with two phase shifters. The interference 
pattern depends on the difference between the phase shifts in different arms of the interferometer, 
(b) The corresponding quantum network representation. 

Let us now rephrase the experiment in terms of quantum logic gates. We iden- 
tify the half-silvered mirrors with the single qubit Hadamard transform {H), 
defined as 

|0) ^^(|0) + |1)) 

|i) ^;^(|o)-|i)). (1.1) 

The Hadamard transform is a special case of the more general Fourier transform, 
which we shall consider in Sect. ^. 

We view the phase shifter as a single qubit gate. The resulting network corre- 
sponding to the Mach-Zehnder interferometer is shown in Fig. lb. The phase shift 
can be "computed" with the help of an auxiliary qubit (or a set of qubits) in a 
prescribed state | u) and some controlled-C/ transformation where U \ u) = e*"^ | u) 
(see Fig. 2). Here the controlled-f/ means that the form of U depends on the 
logical value of the control qubit, for example we can apply the identity trans- 
formation to the auxiliary qubits (i.e. do nothing) when the control qubit is in 
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state I 0) and apply a prescribed U when the control qubit is in state 1 1). The 
controlled-C/ operation must be followed by a transformation which brings all 
computational paths together, like the second half-silvered mirror in the Mach- 
Zehnder interferometer. This last step is essential to enable the interference of 
different computational paths to occur — for example, by applying a Hadamard 
transform. In our example, we can obtain the following sequence of transforma- 
tions on the two qubits 



\0)\u) 



-^j=,{\0) + \l))\u)'-^j=^{\0)+e^'^\l))\u) 



H 



COS ■ 



0) 



I sm ■ 



i. 

*2 I 



(1.2) 



\u) 



Uf(x)|«> = e'^^^^ \u) 



Figure 2. Network representation for the phase shift transformation of Eq. (1.2). Here a; is a 

label for the state of the first qubit. 



We note that the state of the auxiliary register | u), being an eigenstate of U, is 
not altered along this network, but its eigenvalue e*"^ is "kicked back" in front of 
the I 1) component in the first qubit. The sequence ( OD is the exact simulation 
of the Mach-Zehnder interferometer and, as we will illustrate in the following 
sections, the kernel of quantum algorithms. 

The rest of the paper is organised as follows. In the next section we dis- 
cuss Deutsch's problem (1985) which shows how differentiation between inter- 
ference patterns (different phase-shifts) can lead to the formulation of computa- 
tional problems. Then, in Sect. ^, we review, in a unified way, generalisations of 
Deutsch's problem, and propose further ones. In Sect. Q we discuss an alternative 
and convenient way to view the quantum Fourier transform. In Sect. |5|we propose 
an efficient method for phase estimation based on the quantum Fourier transform. 
In order to illustrate how some of the existing algorithms can be reformulated 
in terms of the multi-particle interferometry and the phase estimation problem, 
in Sect. ^ we rephrase Shor's order-finding algorithm (used to factor) using the 
phase estimation approach. Finally, in Sect. ^ we present a universal construc- 
tion which generates any desired interference pattern with arbitrary accuracy. 
We summarise the conclusions in Sect. 0. 
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2. Deutsch's Problem 

Since quantum phases in the interferometers can be introduced by some controlled- 
U operations, it is natural to ask whether effecting these operations can be de- 
scribed as an interesting computational problem. In this section, we illustrate 
how interference patterns lead to computational problems that are well-suited to 
quantum computations, by presenting the first such problem that was proposed 
by David Deutsch (1985). 

To begin with, suppose that the phase shifter in the Mach-Zehnder interfer- 
ometer is set either to = or to = vr. Can we tell the difference? Of course 
we can. In fact, a single instance of the experiment determines the difference: for 
(j) = the particle always ends up in the detector "0" and for (p = tt always in 
the detector "1". Deutsch's problem is related to this effect. 

Consider the Boolean functions / that map {0, 1} to {0, 1}. There are exactly 
four such functions: two constant functions (/(O) = /(I) = and /(O) = /(I) = 
1) and two "balanced" functions (/(O) = 0,/(l) = 1 and /(O) = = 0). 

Informally, in Deutsch's problem, one is allowed to evaluate the function / only 
once and required to deduce from the result whether / is constant or balanced (in 
other words, whether the binary numbers /(O) and /(I) are the same or different). 
Note that we are not asked for the particular values /(O) and /(I) but for a global 
property of /. Classical intuition tells us that to determine this global property 
of /, we have to evaluate both /(O) and /(I) anyway, which involves evaluating / 
twice. We shall see that this is not so in the setting of quantum information, where 
we can solve Deutsch's problem with a single function evaluation, by employing 
an algorithm that has the same mathematical structure as the Mach-Zehnder 
interferometer. 

Let us formally define the operation of "evaluating" / in terms of the /- 
controlled-NOT operation on two bits: the first contains the input value and 
the second contains the output value. If the second bit is initialised to 0, the /- 
controlled-NOT maps {x, 0) to {x, f{x)). This is clearly just a formalization of the 
operation of computing /. In order to make the operation reversible, the mapping 
is defined for all initial settings of the two bits, taking (x, y) to (x, y® f{x)). Note 
that this operation is similar to the controlled-NOT (see, for example, Barenco 
et al. (1995)), except that the second bit is negated when f{x) = 1, rather than 
when X = 1. 

If one is only allowed to perform classically the /-controlled-NOT operation 
once, on any input from {0,1}^, then it is impossible to distinguish between 
balanced and constant functions in the following sense. Whatever the outcome, 
both possibilities (balanced and constant) remain for /. However, if quantum 
mechanical superpositions are allowed then a single evaluation of the /-controlled- 
NOT suffices to classify /. Our quantum algorithm that accomplishes this is best 
represented as the quantum network shown in Fig. ^3, where the middle operation 
is the /-controlled-NOT, whose semantics in quantum mechanical notation are 

\x)\y)^--^'' \x)\y®f{x)) . (2.1) 

The initial state of the qubits in the quantum network is | 0) (| 0) — 1 1)) (apart 
from a normalization factor, which will be omitted in the following). After the first 
Hadamard transform, the state of the two qubits has the form (| 0) + 1 1))(| 0) — 
I 1)). To determine the effect of the /-controlled-NOT on this state, first note 
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that, for each x € {0, 1}, 

I x) (I 0) - 1 1)) I x) (I © fix)) - 1 1 © fix))) = I x) (I 0) - 1 1)) . 

(2.2) 

Therefore, the state after the /-controlled-NOT is 

((_l)/{o)|o) + (_i)/(i)li))(|o)-|l)). (2.3) 

That is, for each x, the | x) term acquires a phase factor of (— l)'^*^^), which 
corresponds to the eigenvalue of the state of the auxihary qubit under the action 
of the operator that sends | j/) to | y ® fix))- 
This state can also be written as 

(_l)/{o)(|o) + (_i)/(o)e/(i)|i)) ^ (2.4) 

which, after applying the second Hadamard transform, becomes 

(_l)/(o)|j(o)e/(l)) . (2.5) 

Therefore, the first qubit is finally in state | 0) if the function / is constant and in 
state I 1) if the function is balanced, and a measurement of this qubit distinguishes 
these cases with certainty. 

This algorithm is an improved version of the first quantum algorithm for this 
problem proposed by Deutsch (1985), which accomplishes the following. There 
are three possible outcomes: "balanced" , "constant" , and "inconclusive" . For any 
/, the algorithm has the property that: with probability ^, it outputs "balanced" 
or "constant" (correctly corresponding to /); and, with probability ^, it outputs 
"inconclusive" (in which case no information is determined about /). This is a 
task that no classical computation can accomplish (with a single evaluation of the 
/-controllcd-NOT gate). In comparison, our algorithm can be described as always 
producing the output "balanced" or "constant" (correctly). Alain Tapp (1997) 
independently discovered an algorithm for Deutsch's problem that is similar to 
ours. 
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Figure 3. Network representation of Deutsch's algorithm. 
Phil. Tmns. R. Soc. Land. A (1996) 



6 



R. Cleve, A. Ekert, C. Macchiavello and M. Mosca 



Deutsch's result laid the foundation for the new field of quantum computation, 
and was followed by several other quantum algorithms for various problems, which 
all seem to rest on the same generic sequence: a Fourier transform, followed by 
an /-controlled-f7, followed by another Fourier transform. (In some cases, such 
as Lov Grover's "database search" algorithm (1996), this sequence is a critical 
component to a larger algorithm; see Appendix B). We illustrate this point by 
reviewing several of these other algorithms in the sections that follow. 

3. Generalisations of Deutsch's Problem 

Deutsch's original problem was subsequently generalised by Deutsch and Jozsa 
(1992) for Boolean functions / : {0, 1}" {0, 1} in the following way. Assume 
that, for one of these functions, it is "promised" that it is either constant or 
balanced (i.e. has an equal number of O's outputs as I's), and consider the goal 
of determining which of the two properties the function actually has. 

How many evaluations of / are required to do this? Any classical algorithm for 
this problem would, in the worst-case, require 2"~^ + 1 evaluations of / before 
determining the answer with certainty. There is a quantum algorithm that solves 
this problem with a single evaluation of /. The algorithm is presented in Fig. ^, 
where the control register is now composed of n qubits, all initially in state | 0), 
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Figure 4. Network representation of Deutsch- Jozsa's and Bernstein- Vazirani's algorithms. 

denoted as |00---0), and, as in the quantum algorithm for Deutsch's simple 
problem, an auxiliary qubit is employed, which is initially set to state | 0) — | 1) 
and is not altered during the computation. Also, the n-qubit Hadamard transform 
H is defined as 

\x)^ y: i-ir^y) , (3.1) 

j/e{o,i}" 

for all X G {0, 1}", where 

X • y = (xi A yi) e • • • e (x„ A Vn) (3.2) 

(i.e. the scalar product modulo two). This is equivalent to performing a one-qubit 
Hadamard transform on each of the n qubits individually. The actual computation 
of the function / is by means of an /-controlled-NOT gate (the middle gate in 
Fig. which acts as 

\x)\y) ^^"^ \x)\y(B fix)) . (3.3) 

Phil. Trans. R. Soc. Land. A (1996) 



Quantum Algorithms Revisited 



7 



This is similar to Eq. ( |2.1[ ), except that now x G {0, 1}". 

Stepping through the execution of the network, the state after the first n-qubit 
Hadamard transform is apphed is 

E k)(|0)-|l)), (3.4) 

i:e{0,l}" 

which, after the /-controlled-NOT gate, is 

E (-1/(^)|^)(|0)-|1)). (3.5) 
xe{o,i}" 

Finally, after the last Hadamard transform, the state is 

E (-i)^^"^®^"-^My>(|o)-|i)). (3.6) 

a;,s/e{o,i}" 

Note that the amplitude of [ 00 • • • 0) is J2xe{o,i}" — 2^ — / constant 
then this state is (-l)/(oo- 0) | OO • • • 0) (| 0) - | 1)); whereas, if / is balanced then, 
for the state of the first n qubits, the amplitude of | 00 • • • 0) is zero. Therefore, 
by measuring the first n qubits, it can be determined with certainty whether / 
is constant or balanced. Note that, as in Deutsch's simple example, this entails a 
single /-controlled-NOT operation. (This is a slight improvement of Deutsch and 
Jozsa's original algorithm, which involves two /-controlled-NOT operations.) 

Following Deutsch and Jozsa, Ethan Bernstein and Umesh Vazirani (1993) 
formulated a variation of the above problem that can be solved with the same 
network. Suppose that / : {0, 1}" — > {0, 1} is of the form 

f{x) = (ai A xi) • • • e (a„ A a;„) e 6 = (a • x) e 6 , (3.7) 

where a E {0, 1}" and b G {0, 1}, and consider the goal of determining a. Note 
that such a function is constant if a = 00 • ■ ■ and balanced otherwise (though 
a balanced function need not be of this form). Furthermore, the classical deter- 
mination of a requires at least n /-controlled-NOT operations (since a contains 
n bits of information and each classical evaluation of / yields a single bit of in- 
formation). Nevertheless, by running the quantum network given in Fig. ^, it is 
possible to determine a with a single /-controlled-NOT operation. 

The initial conditions are the same as above. In this case, Eq. ( |3.5D takes the 
simple form 

E (-l)(""^®'|a;)(|0)-|l)), (3.8) 
xe{o,i}" 

which, after the final Hadamard transform, becomes 

(-1)" E (-i)"-('^®^My)(|o)-|i)), (3.9) 

a:,S/e{0,l}" 

which is equivalent to (— 1)^ | a) (| 0) — 1 1)). Thus, a measurement of the control 
register yields the value of a. (Bernstein and Vazirani's algorithm is similar to 
the above, except that it employs two /-controlled-NOT operations instead of 
one. Also, this problem, and its solution, is very similar to the search problems 
considered by Barbara Terhal and John Smolin (1997).) 
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The network construction presented in this section (Fig. |^ can be generahsed 
to the case of a Boolean function / : {0, 1}" {0, 1}™ (with m < n), with the 
promise that the parity of the elements in the range of / is either constant or 
evenly balanced (i.e. its output values all have the same parity, or half of them 
have parity and half have parity 1). In this case, by choosing an auxiliary register 
composed of m qubits, and setting all of them in the initial state (| 0) — 1 1)), it 
is possible to solve the problem with certainty in one run of the network. As in 
the above case, the function is constant when the n qubits of the first register are 
detected in state | 00 ■ ■ ■ 0), and evenly balanced otherwise. 

A particular subclass of the above functions consists of those that are of the 
form f{x) = {A ■ x) (B b, where j4 is an m x n binary matrix, 6 is a binary 
m-tuple, and © is applied bitwise (this can be thought of as an affine linear 
function in modulo- two arithmetic). The output string of / has constant parity 
if (11 ■ • • 1) - A = (00 • ■ ■ 0) and has balanced parity otherwise. It is possible to 
determine all the entries of A by evaluating the function / only m times, via a 
suitable multi-qubit /-controlled-NOT gate of the form 

\x)\y)^'-^'' \x)\y(Bf{x)) , (3.10) 

where x G {0,1}" and y € {0,1}™. The network described below is a generali- 
sation of that in Fig. and determines the n-tuple c • A, where c is any binary 
m-tuple. The auxiliary register is composed of m qubits, which are initialised to 
the state 

(1 0) + i-ir 1 !))(! 0) + (-1)^^ 1 1)) • • • (1 0) + i-iy- 1 1)) . (3.11) 

(This state can be "computed" by first setting the auxiliary register to the state 
\ciC2 - ■ ■ Cm) and then applying a Hadamard transform to it.) The n-qubit control 
register is initialised in state [ 00 • • • 0) , and then a Hadamard transform is applied 
to it. Then the /-controlled-NOT operation is performed, and is followed by 
another Hadamard transform to the control register. It is straightforward to show 
that the control register will then reside in the state \ c- A). By running the 
network m times with suitable choices for c, all the entries of A can be determined. 
Peter H0yer (1997) independently solved a problem that is similar to the above, 
except that / is an Abelian group homomorphism, rather than an affine linear 
function. 



4. Another Look at the Quantum Fourier Transform 

The quantum Fourier transform (QFT) on the additive group of integers mod- 
ulo 2™ is the mapping 

2^-1 

|a) ^ }J e 2-" ly) , (4.1) 

y=0 

where a G {0, . . . , 2™ — 1} (Coppersmith 1994). Let a be represented in binary 
as ai . . . a™ G {0, 1}™, where a = + 2'^-'^a2 + ■■■ + 2^ani-i + 2Pam (and 

similarly for y). 

It is interesting to note that the state (4J) is unentangled, and can in fact be 
factorised as 

(I 0) _|_ g2Ti(0.a™) I _|_ g27ri(0.a„_ia,„) [ j^J,-) . . . ^[ qn, _|_ g27rj(0.aia2...a„) | -^y-^ ^ ^^_2) 
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27riay 

\yi---ym) 

_ 27ri(0.a™.)j/i 



\yi)e 



2TTi(0.am-ia,n)y2 



y2) 



2TTi{0.aia2...am,)y 
' I ym/ 1 



(4.3) 
(4.4) 



so the coefficient of 1 1/12/2 ••• ym) in (|4.lD matches that in (^ 
A network for computing i<2" is shown in Fig. |5|. 



I am-i>" 
lam> " 



- I0>+ e 12 3 m-f m I isj. 

P^i A a a a a 

-iO>+ e 



2m 0.a,a,... a a 

^ 3 m-l m 1 1> 



Figure 5. A network for shown acting on the basis state | a\a2 ■ ■ ■ am)- At the end, the 
order of the output qubits is reversed (not shown in diagram) . 



In the above network, Rk denotes the unitary transformation 

Rk '- 



1 

e2-V2'= 



(4.5) 



■ • am) ■ 



We now show that the network shown in Fig. |5| produces the state ( [4.1| ) . The 
initial state is | a) = [ aia2 ■ • • Om) (and a/2™ = O.oia2 . . . am in binary). Applying 
H to the first qubit in | oi • ■ ■ am) produces the state 

(|0)+e2-^(°-'^i)|l))|a2---a„). 

Then applying the controlled- i?2 changes the state to 

(|0)+e2^^(°-"i"2)[i))|a2. 

Next, the controlled- i?3 produces 

(|0)+e2^^(°-''i'^2'^3)|i))|a2. 

and so on, until the state is 

(|0) + e2^*(°-"i-'^'")|l))|a2 

The next H yields 

(I 0) + e2-^(0-'*i-'*™) I 1))([ 0) + e^"*(°-''2) I 1)) I as • • • am) 
and the controlled- i?2 to -Rm-i yield 

(I 0) + e2-^(0-'*i ■■■"'-) I 1))(| 0) + e2-^(0-'*2-'*™) | 1)) [ 03 • ■ ■ am) 
Continuing in this manner, the state eventually becomes 

(I 0) + g2vri(0.ai...a™) | Q) + g27ri(0.a2...a„) | ]^^-) . . . ("j _|_ g27ri{0.a™,) j ^^-^ ^ 

which, when the order of the qubits is reversed, is state ( [4.2| ). 

Note that, if we do not know oi • • • am, but are given a state of the form ( |4.2D , 
then ai • • • Om can be easily extracted by applying the inverse of the QFT to the 
state, which will yield the state | ai • • • am)- 
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5. A Scenario for Estimating Arbitrary Phases 

In Sect. 1, we noted that differences in pliase shifts by vr can, in principle, be de- 
tected exactly by interferometry, and by quantum computations. In Sects. 2 and 
3, we reviewed powerful computational tasks that can be performed by quantum 
computers, based on the mathematical structure of detecting these phase differ- 
ences. In this section, we consider the case of arbitrary phase differences, and 
show in simple terms how to obtain good estimators for them, via the quantum 
Fourier transform. This phase estimation plays a central role in the fast quantum 
algorithms for factoring and for finding discrete logarithms discovered by Peter 
Shor (1994). This point has been nicely emphasised by the quantum algorithms 
presented by Alexi Kitaev (1995) for the Abelian stabiliser problem. 

Suppose that U is any unitary transformation on n qubits and | ip) is an eigen- 
vector of U with eigenvalue e^'^*'^, where < < 1. Consider the following sce- 
nario. We do not explicitly know f/ or | ■0) or e^'^*'^, but instead are given devices 
that perform controlled- ?7, controlled- , controlled- C/^ (and so on) operations. 
Also, assume that we are given a single preparation of the state | il^). From this, 
our goal is to obtain an m-bit estimator of (p. 

This can be solved as follows. First, apply the network of Fig. M. This network 



10) 

10) 
10) 
10) 



H 



uf =ur= 



lO^^gZ^ri (2 ^)|^^ 



|o)+ e 



2iti (2 ^) 



1) 



|0)+e2"' (2'^)n) 



|0)+ e 



Zk\ (2» 



1) 



Figure 6. A network illustrating estimation of phase (j> with j'-bit precision. The same network 
forms the kernel of the order-finding algorithm discussed in Section ^ 



produces the state 
(|0) + e2-2-V|i))(|o)+e2-2™-^ 



2™-! 



l))---(|0) + e2"*'^|l)) = e^^''^y\y) . 

(5.1) 
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As noted in the last section, in the special case where (p = O.ai . . . Um, the state 
I fli ■ ■ ■ o,ni) (and hence (p) can be obtained by just applying the inverse of the QFT 
(which is the network of Fig. 5|in the backwards direction). This will produce the 
state I ai • • • am) exactly (and hence (/>). 

However, (j) is not in general a fraction of a power of two (and may not even 
be a rational number). For such a (p, it turns out that applying the inverse of 
the QFT produces the best m-bit approximation of (p with probability at least 
4/7r^ = 0.405 .... To see why this is so, let = O.ai . . .am be the best m-bit 
estimate of (p. Then <p = ^ + 6, where < |5| < ^J^.i . Applying the inverse QFT 
to state (5.1) yields the state 



x=0 j/=0 x=0 i/=0 

2^-12™-! 

I w w ZTTiia — Xjl/ rt ■ f 

= i E E e^-^e^-^^lx) (5.2) 

x=0 y=0 

(for clarity, we are now including the normalization factors) and the coefficient 
of I oi • • • am) in the above is the geometric series 

1 2™-l ^^^^ ^ _ (g2^i5)2-\ 

— ^ (e^" )^ = ^ ]^ _ g27ri<5 j • (^•^) 

Since \6\ < it follows that 27r52" < vr, and thus |1 - e^'^^'^^™] > ^ 

4(52™. Also, |1 — e^'^*'^! < 2-it5. Therefore, the probability of observing oi • • • am 
when measuring the state is 

Note that the above algorithm (described by networks in Figs. |5| and P) consists 

of m controlled-C/^ operations, and 0{rn?') other operations. 

In many contexts (such as that of the factoring algorithm of Shor), the above 
positive probability of success is sufficient to be useful; however, in other contexts, 
a higher probability of success may be desirable. The success probability can be 
amplified to 1 — e for any e > by inflating m to m' = m + 0(log(l/e)), and 
rounding off the resulting m'-bit string to its most significant m bits. The details 
of the analysis are in Appendix C. 

The above approach was motivated by the method proposed by Kitaev (1995), 
which involves a sequence of repetitions for each unit U'^^ . The estimation of 
(p can also be obtained by other methods, such as the techniques studied for 
optimal state estimation by Serge Massar and Sandu Popescu (1995), Radoslav 
Derka, Vladimir Buzek, and Ekert (1997), and the techniques studied for use in 
frequency standards by Susana Huelga, Macchiavello, Thomas Pellizzari, Ekert, 
Martin Plenio, and Ignacio Cirac (1997). Also, it should be noted that the QFT, 
and its inverse, can be implemented in the fault tolerant "semiclassical" way (see 
Robert Griffiths and Chi-Sheng Niu (1996)). 
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6. The Order-Finding Problem 

In this section, we show how the scheme from the previous section can be 
applied to solve the order-finding problem, where one is given positive integers 
a and N which are relatively prime and such that a < N, and the goal is to 
find the minimum positive integer r such that mod = 1. There is no known 
classical procedure for doing this in time polynomial in n, where n is the number 
of bits of N. Shor (1994) presented a polynomial-time quantum algorithm for this 
problem, and noted that, since there is an efficient classical randomised reduction 
from the factoring problem to order-finding, there is a polynomial-time quantum 
algorithm for factoring. Also, the quantum order-finding algorithm can be used 
directly to break the RSA cryptosystem (see Appendix A). 

Let us begin by assuming that we are also supplied with a prepared state of 
the form 

-r-1 

l^P^) = J2 I mod iv) . (6.1) 

j=Q 

Such a state is not at all trivial to fabricate; we shall see how this difficulty 
is circumvented later. Consider the unitary transformation U that maps | x) to 

I ax mod A^). Note that | ^i) is an eigenvector of U with eigenvalue e^'^^^~\ Also, 

for any j, it is possible to implement a controlled- [/^^ gate in terms of O(n^) ele- 
mentary gates. Thus, using the state | ■0i) and the implementation of controlled- 

U"^^ gates, we can directly apply the method of Sect. || to efficiently obtain an 
estimator of ^ that has 2n-bits of precision with high probability. This is sufficient 
precision to extract r. 

The problem with the above method is that we are aware of no straightforward 
efficient method to prepare state | ipi). Let us now suppose that we have a device 
for the following kind of state preparation. When executed, the device produces 
a state of the form 

r-1 

|^^) = ^e-^ a-' modiV^, (6.2) 

j=0 

where k is randomly chosen (according to the uniform distribution) from {1, . . . , r}. 
We shall first show that this is also sufficient to efficiently compute r, and then 
later address the issue of preparing such states. For each k G {1, . . . , r}, the eigen- 
value of state I ipk) is e'^'^^^~\ and we can again use the technique from Sect. ^ 
to efficiently determine ^ with 2n-bits of precision. From this, we can extract 
the quantity ^ exactly by the method of continued fractions. If k and r happen 
to be coprime then this yields r; otherwise, we might only obtain a divisor of r. 
Note that, we can efficiently verify whether or not we happen to have obtained 
r, by checking if mod = 1. If verification fails then the device can be used 
again to produce another | ipk). The expected number of random trials until k is 
coprime to r is 0(log log(A^)) = O(logn). 

In fact, the expected number of trials for the above procedure can be improved 
to a constant. This is because, given any two independent trials which yield ^ 

and it suffices for ki and k2 to be coprime to extract r (which is then the 
least common denominator of the two quotients) . The probability that ki and /c2 
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are coprime is bounded below by 

1 - divides h] Pi[p divides /C2] > 1 - Vp^ > 0.54 . (6.3) 

p prime p prime 

Now, returning to our actual setting, where we have no special devices that 
produce random eigenvectors, the important observation is that 

|l) = ElV'fc), (6.4) 

k=l 

and 1 1) is an easy state to prepare. Consider what happens if we use the previous 
quantum algorithm, but with state | 1) substituted in place of a random | V'fc)- 
In order to understand the resulting behavior, imagine if, initially, the control 
register were measured with respect to the orthonormal basis consisting of | "01)) 
. . . , {ipr)- This would yield a uniform sampling of these r eigenvectors, so the 
algorithm would behave exactly as the previous one. Also, since this imagined 
measurement operation is with respect to an orthonormal set of eigenvectors 
of U, it commutes with all the controlled-C/'^^ operations, and hence will have 
the same effect if it is performed at the end rather than at the beginning of 
the computation. Now, if the measurement were performed at the end of the 
computation then it would have no effect on the outcome of the measurement of 
the control register. This implies that state 1 1) can in fact be used in place of a 
random | ipk), because the relevant information that the resulting algorithm yields 
is equivalent. This completes the description of the algorithm for the order-finding 
problem. 

It is interesting to note that the algorithm that we have described for the 
order-finding problem, which is follows Kitaev's methodology, results in a net- 
work (Fig. |6| followed by Fig. ^ backwards) that is identical to the network for 
Shor's algorithm, although the latter algorithm was derived by an apparently 

different methodology. The sequence of controlled-C/^^ operations is equivalent 
to the implementation (via repeated squarings) of the modular exponentiation 
function in Shor's algorithm. This demonstrates that Shor's algorithm, in effect, 
estimates the eigenvalue corresponding to an eigenstate of the operation U that 
maps I x) to I ax mod A^) . 



7. Generating Arbitrary Interference Patterns 

We will show in this section how to generate specific interference patterns with 
arbitrary precision via some function evaluations. We require two registers. The 
first we call the control register; it contains the states we wish to interfere. The 
second we call the auxiliary register and it is used solely to induce relative phase 
changes in the first register. 

Suppose the first register contains n bits. For each n-bit string | x) we require 
a unitary operator Ux- All of these operators Ux should share an eigenvector 
I ^) which will be the state of the auxiliary register. Suppose the eigenvalue of 
I ^) for X is denoted by e'^'^^'^^^\ By applying a unitary operator to the auxiliary 
register conditioned upon the value of the first register we will get the following 
interference pattern: 
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2"-l 2"-l 
2"-l 

= J2 e^''''^^''^ I a;) I ^) • (7.2) 

a:=0 

The Conditional Uf gate that was described in section 2 can be viewed in this 
way. Namely, the operator C//(o) which maps \ y) to \ y®f{0)) and the opera- 
tor which maps \y) to | y © /(I)) have common eigenstate | 0) — 1 1). The 

operator i7/(j) has eigenvalue e^'^*^~ for j = 0, 1. 

In general, the family of unitary operators on m qubits which simply add a 
constant integer k modulo 2™ share the eigenstates 

E'e-'"*|y), (7.3) 
y=o 

and kick back a phase change of e^'^'^. 

For example, suppose we wish to create the state | 0) + e^'^*'^ | 1) where ^ = 
0.aia2a3 . . . am- 

We could set up an auxiliary register with m qubits and set it to the state 

^Y^e-'-''^y\y). (7.4) 

By applying the identity operator when the control bit is | 0) and the 'add 1 
modulo 2"*' operator, Ui, when the control bit is | 1) we see that 

2m_l 

|0) E e-^^"^y\y) 
y=o 



gets mapped to itself and 



goes to 



2m_l 



1) E 1 y + 1 mod 2"^) (7.5) 
y=o 

= e^^'^'f' 1 1) J2 e-^''^'^(^+^) I y + 1 mod 2"*) (7.6) 

y=0 

= e^''''f'\l) E e"^"''^^ I y) . (7.7) 

2/=0 

(7.8) 
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An alternative is to set the m-bit auxiliary register to the eigenstate 

J2e-^y\y) (7.9) 
y=o 

and conditionally apply which adds a = 0102 . . . am to the auxiliary register. 
Similarly, the state 

|1) J2 e-^y\y) 
y=o 

goes to 

2™-l 

|1) ^ e-^y\y + amod2"') (7.10) 

2'"-! 

= e^^*"^ 1 1) Yl e-i^(2/+a) I y + a mod 2"^) (7.11) 

?/=0 

2'"-l 

^g27ri0^^ ^ e-i^^|y). (7.12) 

2/=0 

Similarly, if = a6/2™ for some integers a and 6, we could also obtain the 
same phase "kick-back" by starting with state 

J2 e-^'^'^yiy) (7.13) 
y=o 

and conditionally adding b to the second register. 
The method using eigenstate 

e-^^\y) (7.14) 

y=o 

has the advantage that we can use the same eigenstate in the auxiliary register 
for any (p. So in the case of an n-qubit control register where we want phase 
change e^'^^'f'^^^ for state | x) and if we have a reversible network for adding (f>{x) 
to the auxiliary register when we have | x) in the first register, we can use it on a 
superposition of control inputs to produce the desired phase "kick-back" e^^^'^^^'> 
in front of |x). Which functions (f>{x) will produce a useful result, and how to 
compute them depends on the problems we seek to solve. 



8. Conclusions 

Various quantum algorithms, which may appear different, exhibit remarkably 
similar structures when they are cast within the paradigm of multi-particle inter- 
ferometry. They start with a Fourier transform to prepare superpositions of clas- 
sically different inputs, followed by function evaluations (i.e. /-controlled unitary 
transformations) which induce interference patterns (phase shifts), and are fol- 
lowed by another Fourier transform that brings together different computational 
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paths with different phases. The last Fourier transform is essential to guarantee 
the interference of different paths. 

We believe that the paradigm of estimating (or determining exactly) the eigen- 
values of operators on eigenstates gives helpful insight into the nature of quantum 
algorithms and may prove useful in constructing new and improving existing algo- 
rithms. Other problems whose algorithms can be deconstructed in a similar man- 
ner are: Simon's algorithm (1993), Shor's discrete logarithm algorithm (1994), 
Boneh and Lipton's algorithm (1995), and Kitaev's more general algorithm for 
the Abelian Stabiliser Problem (1995), which first highlighted this approach. 

Wc have also shown that the evaluation of classical functions on quantum 
superpositions can generate arbitrary interference patterns with any prescribed 
precision, and have provided an explicit example of a universal construction which 
can accomplish this task. 
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Appendix A. Cracking RSA 

What we seek is a way to compute P modulo N given P^, e, and N, that is, 
a method of finding eth roots in the multiplicative group of integers modulo N 
(this group is often denoted by Zn* and contains the integers coprime to N). It 
is still an open question whether a solution to this problem necessarily gives us 
a polynomial time randomised algorithm for factoring. However factoring does 
give a polynomial time algorithm for finding eth roots for any e relatively prime 
to ^(A^) and thus for cracking RSA. Knowing the prime factorisation of N, say 
UpTpT ■■■Pk^ W6 can easily compute 0(Ar) = A/"nr=i(l - ^)- Then we can 
compute d such that ed = 1 mod 0(A), which implies P'^'^ = P modulo A. 

However, to crack a particular instance of RSA, it suffices to find an integer d 
such that ed = 1 modulo ord(P), that is ed = ovd{P)k + 1 for some integer k. 
We would then have C"^ = P^'^ = pord(P)fc+i = p 

modulo A. 

Since e is relatively prime to <^(A) it is easy to see that ord(P) = ord(P'^) = 
ord(C). So given C = P^, we can compute ord(P) using Shor's algorithm and 
then compute d satisfying de = 1 modulo ord(P) using the extended Euclidean 
algorithm. Thus, we do not need several repetitions of Shor's algorithm to find 
the order of a for various random a; we just find the order of C and solve for P 
regardless of whether or not this permits us to factor N. 

Appendix B. Concatenated Interference 

The generic sequence: a Hadamard/Fourier transform, followed by an /-controUed- 
U, followed by another Hadamard/Fourier transform can be repeated several 
times. This can be illustrated, for example, with Grover's data base search al- 
gorithm (1996). Suppose we are given (as an oracle) a function which maps 
{0, 1}" to {0, 1} such that fk{x) = S^k for some k. Our task is to find k. Thus in a 
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set of numbers from to 2" — 1 one element has been "tagged" and by evaluating 
/fc we have to find which one. To find k with probability of 50% any classical 
algorithm, be it deterministic or randomised, will need to evaluate a minimum 
of 2"~^ times. In contrast, a quantum algorithm needs only 0(2"/'^) evaluations. 
Grover's algorithm can be best presented as a network shown in Fig. |^. 



|0) 
10) 
I 

10) 



10)- ID 



H 



H 



H 



H 



10)- ID 



Figure 7. Network representation of Grover's algorithms. By repeating the basic sequence 2"^^ 
times, value k is obtained at the output with probability greater than 0.5. 



Appendix C. Amplifying success probability when estimating phases 

Let be a real number satisfying < < 1 which is not a fraction of 2™, 
0.aia2---am be the closest m-bit approximation to (j) so that 
+ S where < |(5| < ^m+i ■ For such a (f), we have already shown that 



and let ^ 



applying the inverse of the QFT to (5J) and then measuring yields the state | a) 
with probability at least 4/7r^ = 0.405 .... 

WLOG assume 0<6 < ^r^. For t satisfying -2"^-^ < t < 2™"! let at denote 
the amplitude of | a — t mod 2™). It follows from (^.2|) that 



at 



1 l-{e 



27ri(5+^)N2" 



1 _ ^2-Ki(&+^) 



Since 



then 



,27ri((5+2wr) 



< 



■k/2 



4(5 + 



l«i| < 



2'"4((5 + 



< 



2™+i((5 + 



The probability of getting an error greater than is 



E 

fc<t<2™-i 



I |2 , 



< 



E 



-1 



1 



< 



4(t + 2"^(5) 

^ '2m — \ 

E 7^+ E 



E 

2™-i<i<-fc 

-(fc+1) 

mx\2 ~^ E 



t=k 
2™-l_l 



t=-2" 
1 



^ 4(t + 2™5)2 



t=fe+i 



4(t 



1)2 



(CI) 

(C2) 

(C3) 

(C4) 
(C5) 
(C6) 
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2™-l 



t=2k ^^2) 
r2"^~l 1 

< s^- 

(CIO) 

So, for example, if we wish to have an estimate that is within 1/2"+^ of the 
value (p with probability at least 1 — e it suffices to use this technique with m = 
n + riog2 He + bits. 
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